
Attacks/Breaches

8/5/2010
04:47 PM

Social Engineers Successfully Gather Info

The Defcon18 contest worked well -- too well -- its organizers say

The one glimmer of hope during last week's social-engineering contest at Defcon18 was when two different employees at a major retailer separately shut down a contestant trying to smooth-talk his way into gathering sensitive information on their company.

"One of them said the questions [asked of her] sounded 'fishy'" and that she couldn't answer the questions for security reasons, says Chris Hadnagy, founder of social-engineer.org, which sponsored the Social Engineering Capture The Flag contest in Las Vegas last week. "We all clapped -- we thought that [reaction] was great. Unfortunately, the contestant [then] got a different lady at a different location of the company and was successful."

Success was the overwhelmingly disturbing trend in the contest, in which around 17 people each had 25 minutes to social-engineer information out of a specific company by phone. Each contestant had been assigned a "target" company in advance of the contest and was allowed to gather as much information as possible passively (no phone calls, email, or direct contact) before the big showdown in Vegas.

They scored points based on the predesignated "flags" they were able to capture -- everything from finding out who supplies the company's in-house café food to the type and version of browser they use, their antivirus program, and who handles the trash dumpsters. The flag that brought home the highest number of points was getting the employee to visit a URL, and every target-company employee who was given the URL visited it.

All of the contestants were able to social-engineer information out of their targeted companies, posing as journalists, IT survey-takers, and businessmen, for instance. The list of companies targeted in the contest included Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart. The contest organizers won't reveal which company's employees gave up what information, but the bottom line is that it worked better than the organizers had anticipated.

"I didn't expect it to go as well as it did. In this day and age, I thought more companies would be a lot more security-conscious and not give out such detailed information," says Hadnagy, who is also operations manager for Offensive-Security.com. "From a security professional's standpoint, it was discouraging that this is a massive subset of corporate America -- oil, retail, manufacturing, phone, and security companies. It's a little scary."

Hadnagy says that in all cases but one, where the contestant was unable to get a person on the phone at all, the social-engineering exploits worked. The contestants each came up with their own pretext for the call, using their own styles and personas. "Every company where we were able to contact a human, they were successful at social-engineering them," he says.

He says the fact that some of the employees visited a URL at the urging of the social-engineering caller raises a red flag. "The fact that we can make them go to a URL after we asked them what type of browser they had" is worrisome, according to Hadnagy. The outcome would have been severe if an attacker were able to do the same with a malicious page, he says.

Meanwhile, the contestants were limited in what they could gather from the target firm: They weren't allowed to do anything illegal, including obtaining credit card or social security numbers or passwords, or to make the target feel "at risk" in any way, and they weren't allowed to pose as any government agency, law enforcement, or legal entity as a ruse to get information.

The winner of the contest, "Scott," used the pretext of a businessman. "Believing he was who he said he was" was a winning recipe, Hadnagy says. Another pretext that worked for contestants was asking for help. "The magic words, 'Can you please help me?' triggers a sort of automatic response in the human psyche," he says.

Dave Marcus, research and communications director for McAfee Labs, says the contest should serve as a teaching moment for companies. But it's not all about training employees, he says. "This is exceptionally difficult. You can social-engineer anybody provided that you know enough about them and are persistent enough," he says. "I think rather than having some generic walk-through course on this, you should put employees into scenario-based training ... have them sit through getting socially engineered and have them go through what it's like to get phished on the phone versus some slide deck saying, 'This is social engineering.'"

Marcus, who spoke at Defcon about a social engineering project of his own using social networks, says it's not difficult to build a profile of a person based on their Tweets, blogs, and other online activity in order to social-engineer them.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
